MCSE Designing Security for a Windows Server 2003 Network - Exam 70-298 Study Guide


Elias N. Khnaser
Susan Snedaker
Chris Peiris
Rob Amini
Laura E. Hunter, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

"Syngress Media," "Syngress," "Career Advancement Through Skill Enhancement," "Ask the Author UPDATE," and "Hack Proofing," are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library," "Mission Critical," and "The Only Way to Stop a Hacker is to Think Like One" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY    SERIAL NUMBER
001    JFE498MVVF
002    PO98KLSSSY
003    JKRED279I9
004    PLGEPL9989
005    CVPL23GHBV
006    VBPLOP93346
007    JDDD43WD3E
008    2987JJGGMK
009    629DJTKK88
010    ITJLLKR45W

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

MCSE Designing Security for a Windows Server 2003 Network: Exam 70-298 Study Guide & DVD Training System

Copyright 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America

1 2 3 4 5 6 7 8 9 0

ISBN: 1-932266-55-0

Acquisitions Editor: Catherine B. Nolan
Technical Editor: Laura E. Hunter
Page Layout and Art: Patricia Lupien
Cover Designer: Michael Kavish
Copy Editor: Darlene Bordwell, Beth A. Roberts
Indexer: Nara Wood

Distributed by O'Reilly & Associates in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States by O'Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, and to all the others who work with us.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

To all the folks at Malloy who have made things easy for us and especially to Beth Drake and Joe Upton.

Technical Editor & DVD Presenter

Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Microsoft Windows NT and 2000 design and implementation, troubleshooting, and security topics. As an MCSE Early Achiever on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura's previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of Web sites.

Laura has previously contributed to Syngress Publishing's Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide & Training System series as a DVD presenter, contributing author, and technical reviewer. Laura was recently awarded the prestigious MVP award as a Microsoft Most Valued Professional.

Laura holds a bachelor's degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.

Contributors

Rob Amini (MCSE, MCDBA, MCT) is currently a systems manager for Marriott International in Salt Lake City, Utah. He has a bachelor's degree in computer science and has been breaking and fixing the darned machines since the Atari 800 was considered state of the art. In 1993 he began his professional career by fixing quirky IBM mainframes and various UNIX-flavored boxes. Then, after a long stint as a technician and systems admin, he gained fabled notoriety as a pun-wielding Microsoft trainer. Rob has continued as an instructor for more than three years and although teaching is his first love, he tends to enjoy technical writing more than a well-adjusted person should. When not actually working with and programming a variety of electronic gizmos, Rob enjoys spending every minute he can with his beautiful wife Amy and the rest of his supportive family. Finally, Rob would like to thank his dad, who has always been a wonderful father and great example to him.

Elias N. Khnaser (CCEA, MCSE, CCNA, CCA, MCP+I) is currently the Server Based Computing Architect for General Growth Properties. General Growth Properties is headquartered in Chicago, IL and is the second largest shopping mall owner and operator in the world, counting over 160 malls worldwide and growing. Elias provides senior-level network design, implementation, and troubleshooting of Citrix and Microsoft technologies for the company. Elias is also a contributing author at Techrepublic.com. Prior to working for General Growth Properties, Elias was a Senior Network Engineer at Solus in Skokie, IL, consulting for companies like Motorola, Prime Group Realty Trust, Black Entertainment Television (BET), Dominick's Corporate, and Total Living Network (TLN Channel 38).

Elias would like to acknowledge Steve Amidei and James Smith of General Growth Properties for their infinite support; Stuart Gabel and Nial Keegan of Solus, who opened the door of opportunity; his friend Joseph K. Eshoo for all his help and encouragement; and John Sheesley of Techrepublic.com for helping him write better articles. To his friends and family worldwide, this is for you! Finally, Elias would like to dedicate this work to his parents, especially his mother, and to the person that means everything in his life, Nadine Sawaya "Didi," for loving and supporting him.

Chris Peiris (MVP, MIT) works as an independent consultant for .NET and EAI implementations. His latest role is with the Department of Employment and Workplace Relations (Australia) as a Systems Architect. He also lectures on Distributed Component Architectures (.NET, J2EE & CORBA) at Monash University, Caulfield, Victoria, Australia. He has been awarded the title Microsoft Most Valuable Professional (MVP) for his contributions to .NET technologies. Chris has been designing and developing Microsoft solutions since 1995. His expertise lies in developing scalable, high-performance solutions for financial institutions, G2G, B2B, and media groups. Chris has written many articles, reviews, and columns for various online publications including 15Seconds, Developer Exchange, and Wrox Press. He co-authored the book C# Web Service with .NET Remoting and ASP.NET by Wrox Press. It was followed by C# for Java Programmers (Syngress, ISBN: 1-931836-54-X), and MCSA/MCSE Managing and Maintaining a Windows Server 2003 Environment: Exam 70-290 (Syngress, ISBN: 1-932266-60-7). Chris frequently presents at professional developer conferences on Microsoft technologies.

His core skills are C++, C#, XML Web Services, Java, .NET, DNA, MTS, Data Warehousing, WAP, and SQL Server. Chris has a Bachelor of Computing, Bachelor of Business (Accounting), and Masters of Information Technology degrees. He is currently undertaking a PhD on Web Service Management Framework. He lives with his family in Civic, Canberra, ACT, Australia.

Chris dedicates this book to Kushanthi. In his own words: "thanks for the love, patience, advice, encouragement and your kindness and most of all, thanks for putting up with me and being a true friend."

Susan Snedaker (MCP, MCT, MCSE+I, MBA) is a strategic business consultant specializing in business planning, development, and operations. She has served as author, editor, curriculum designer, and instructor during her career in the computer industry. Susan holds a master of business administration and a bachelor of arts in management from the University of Phoenix. She has held key executive and technical positions at Microsoft, Honeywell, Keane, and Apta Software. Susan has contributed chapters to five books on Microsoft Windows 2000 and 2003. Susan currently provides strategic business, management and technology consulting services (www.virtualteam.com).

MCSE 70-298 Exam Objectives Map

All of Microsoft's published objectives for the MCSE 70-298 Exam are covered in this book. To help you easily find the sections that directly support particular objectives, we've listed all of the exam objectives below, and mapped them to the Chapter number in which they are covered. We've also assigned numbers to each objective, which we use in the subsequent Table of Contents and again throughout the book to identify objective coverage. In some chapters, we've made the judgment that it is probably easier for the student to cover objectives in a slightly different sequence than the order of the published Microsoft objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of Microsoft's MCSE 70-298 Exam objectives.

Objective Map (objective number, chapter number in brackets, objective)

1 [Chapters 1, 5] Creating the Conceptual Design for Network Infrastructure Security by Gathering and Analyzing Business and Technical Requirements
1.1 [Chapter 1] Analyze business requirements for designing security. Considerations include existing policies and procedures, sensitivity of data, cost, legal requirements, end-user impact, interoperability, maintainability, scalability, and risk.
1.1.1 [Chapter 1] Analyze existing security policies and procedures.
1.1.2 [Chapter 1] Analyze the organizational requirements for securing data.
1.1.3 [Chapter 1] Analyze the security requirements of different types of data.
1.1.4 [Chapter 1] Analyze risks to security.
1.2 [Chapter 1] Design a framework for designing and implementing security. The framework should include prevention, detection, isolation, and recovery.
1.2.1 [Chapter 1] Predict threats to your network from internal and external sources.
1.2.2 [Chapter 1] Design a process for responding to incidents.
1.2.3 [Chapter 5] Design segmented networks.
1.2.4 [Chapter 1] Design a process for recovering services.
1.3 [Chapter 1] Analyze technical constraints when designing security.
1.3.1 [Chapter 1] Identify capabilities of the existing infrastructure.
1.3.2 [Chapter 1] Identify technology limitations.
1.3.3 [Chapter 1] Analyze interoperability constraints.

2 [Chapters 3, 4] Creating the Logical Design for Network Infrastructure Security
2.1 [Chapter 3] Design a public key infrastructure (PKI) that uses Certificate Services.
2.1.1 [Chapter 3] Design a certification authority (CA) hierarchy implementation. Types include geographical, organizational, and trusted.
2.1.2 [Chapter 3] Design enrollment and distribution processes.
2.1.3 [Chapter 3] Establish renewal, revocation, and auditing processes.
2.1.4 [Chapter 3] Design security for CA servers.
2.2 [Chapter 3] Design a logical authentication strategy.
2.2.1 [Chapter 3] Design certificate distribution.
2.2.2 [Chapter 4] Design forest and domain trust models.
2.2.3 [Chapter 4] Design security that meets interoperability requirements.
2.2.4 [Chapter 8] Establish account and password requirements for security.
2.3 [Chapter 4] Design security for network management.
2.3.1 [Chapter 4] Manage the risk of managing networks.
2.3.2 [Chapter 4] Design the administration of servers by using common administration tools. Tools include Microsoft Management Console (MMC), Terminal Server, Remote Desktop for Administration, Remote Assistance, and Telnet.
2.3.3 [Chapter 4] Design security for Emergency Management Services.
2.4 [Chapter 4] Design a security update infrastructure.
2.4.1 [Chapter 4] Design a Software Update Services (SUS) infrastructure.
2.4.2 [Chapter 4] Design Group Policy to deploy software updates.
2.4.3 [Chapter 4] Design a strategy for identifying computers that are not at the current patch level.

3 [Chapters 2, 5, 6, 7] Creating the Physical Design for Network Infrastructure Security
3.1 [Chapter 5] Design network infrastructure security.
3.1.1 [Chapter 5] Specify the required protocols for a firewall configuration.
3.1.2 [Chapter 5] Design IP filtering.
3.1.3 [Chapter 5] Design an IPSec policy.
3.1.4 [Chapter 5] Secure a DNS implementation.
3.1.5 [Chapter 5] Design security for data transmissions.
3.2 [Chapter 5] Design security for wireless networks.
3.2.1 [Chapter 5] Design public and private wireless LANs.
3.2.2 [Chapter 5] Design 802.1x authentication for wireless networks.
3.3 [Chapters 5, 6] Design user authentication for Internet Information Services (IIS).
3.3.1 [Chapter 6] Design user authentication for a Web site by using certificates.
3.3.2 [Chapter 6] Design user authentication for a Web site by using IIS authentication.
3.3.3 [Chapter 6] Design user authentication for a Web site by using RADIUS for IIS authentication.
3.4 [Chapter 6] Design security for Internet Information Services (IIS).
3.4.1 [Chapter 6] Design security for Web sites that have different technical requirements by enabling only the minimum required services.
3.4.2 [Chapter 6] Design a monitoring strategy for IIS.
3.4.3 [Chapter 6] Design an IIS baseline that is based on business requirements.
3.4.4 [Chapter 6] Design a content management strategy for updating an IIS server.
3.5 [Chapter 7] Design security for communication between networks.
3.5.1 [Chapter 7] Select protocols for VPN access.
3.5.2 [Chapter 7] Design VPN connectivity.
3.5.3 [Chapter 7] Design demand-dial routing between internal networks.
3.6 [Chapter 7] Design security for communication with external organizations.
3.6.1 [Chapter 7] Design an extranet infrastructure.
3.6.2 [Chapter 7] Design a strategy for cross-certification of Certificate Services.
3.7 [Chapter 2] Design security for servers that have specific roles. Roles include domain controller, network infrastructure server, file server, IIS server, terminal server, and POP3 mail server.
3.7.1 [Chapter 2] Define a baseline security template for all systems.
3.7.2 [Chapter 2] Create a plan to modify baseline security templates according to role.

4 [Chapters 8, 9] Designing an Access Control Strategy for Data
4.1 [Chapter 8] Design an access control strategy for directory services.
4.1.1 [Chapter 8] Create a delegation strategy.
4.1.2 [Chapter 8] Analyze auditing requirements.
4.1.3 [Chapter 8] Design the appropriate group strategy for accessing resources.
4.1.4 [Chapter 8] Design a permission structure for directory service objects.
4.2 [Chapter 9] Design an access control strategy for files and folders.
4.2.1 [Chapter 9] Design a strategy for the encryption and decryption of files and folders.
4.2.2 [Chapter 9] Design a permission structure for files and folders.
4.2.3 [Chapter 9] Design security for a backup and recovery strategy.
4.2.4 [Chapter 9] Analyze auditing requirements.
4.3 [Chapter 9] Design an access control strategy for the registry.
4.3.1 [Chapter 9] Design a permission structure for registry objects.
4.3.2 [Chapter 9] Analyze auditing requirements.

5 [Chapter 10] Creating the Physical Design for Client Infrastructure Security
5.1 [Chapter 10] Design a client authentication strategy.
5.1.1 [Chapter 10] Analyze authentication requirements.
5.1.2 [Chapter 10] Establish account and password security requirements.
5.2 [Chapter 10] Design a security strategy for client remote access.
5.2.1 [Chapter 10] Design remote access policies.
5.2.2 [Chapter 10] Design access to internal resources.
5.2.3 [Chapter 10] Design an authentication provider and accounting strategy for remote network access by using Internet Authentication Service (IAS).
5.3 [Chapter 10] Design a strategy for securing client computers. Considerations include desktop and portable computers.
5.3.1 [Chapter 10] Design a strategy for hardening client operating systems.
5.3.2 [Chapter 10] Design a strategy for restricting user access to operating system features.

Syngress knows what passing the exam means to you and to your career. And we know that you are often financing your own training and certification; therefore, you need a system that is comprehensive, affordable, and effective.

Boasting one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation, the Syngress Study Guide & DVD Training System guarantees 100% coverage of exam objectives.

The Syngress Study Guide & DVD Training System includes:

  • Study Guide with 100% coverage of exam objectives: By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.

  • Instructor-led DVD: This DVD provides almost two hours of virtual classroom instruction.

  • Web-based practice exams: Just visit us at www.syngress.com/certification to access a complete exam simulation.

Thank you for giving us the opportunity to serve your certification needs. And be sure to let us know if there's anything else we can do to help you get the maximum value from your investment. We're listening.

www.syngress.com/certification
